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© A method for the secure storage and retrieval of 
data including the steps of placing a removable user 
access unit into a security access port operatively 
associated with a computer, generating a first string 
of symbols, generating a second string of symbols in 
the user access unit based on the first string of 
symbols, encrypting the data based on the second 
string of symbols to form an encrypted data block 
and storing the encrypted data block in a non- 
volatile memory. The method also includes, during 
data retrieval the steps of retrieving the stored en- 
crypted data from the non-volatile memory, regener- 
ating the first string of symbols, regenerating the 
second string of symbols in the user access unit and 
decrypting the encrypted data based the second 
string of symbols to form decrypted data. 



CPU 











nifEP 



(Fssr sinNC or swscisj 



comoL worn 

(SBCQND snsko Of svveois) 



: USER 
lADCBS UV7. 



riG.i 



LU 



Rank Xeroi (UK) Business Services 

(3.10/3.S-/3.0. II 



BNSOC3CID: <EP 0&37925A1J > 



1 



EP 0 537 925 A1 



2 



FIELD OF THE INVENTION 

This invention relates to computer systems and 
more particularly to security systems for comput- 
ers. 

BACKGROUND OF THE INVENTION 

For large computer systems with many users a 
number of methods have been developed for pro- 
tecting the system from invasion by unauthorized 
users and for protecting data transmitted by remote 
users from interception. For smaller PC systems 
generally only access control systems are avail- 
able. 

U.S. Patent 3,764,742 describes a cryptograph- 
ic credit card device which is inserted by a remote 
user of a central computer system into a reader 
when he wishes to log-on to the system. The credit 
card device is operative to generate an encrypt key 
when primed with a string of priming characters. 
The central computer has the algorithms used by 
all of the authorized users to generate their encrypt 
keys in its memory. In operation the user logs-on 
at the terminal by typing in a short string. The 
computer checl^s this log-on string with a listing in 
the central computer. If there is a match, the com- 
puter generates random priming characters which it 
sends to the remote terminal. Logic In the card 
generates an encrypt key based on the random 
priming characters. The operator enters a personal 
ID which the terminal encrypts with the encrypt key 
and sends to the central computer. The central 
computer utilizing the same algorithm as the card, 
decodes the encryption and compares the result 
with the proper ID, If the operator entered the 
correct ID, the operator can communicate with the 
central computer. In a secure communication 
mode, the central computer periodically generates 
a set of priming characters which are used by the 
terminal for encryption and by the central computer 
for decryption. The data is apparently stored in the 
central computer memory in "clear" form. 

Other U.S. Patents which provide for remote 
user identification and/or encryption of transmitted 
messages are U.S. Patents 3.806.874; 4,599.489; 
4,951.249: 4.800.590; 4.819,267 and 4,691,355. 

U.S. Patent 4.588.991 describes a system In 
which data is stored in encrypted form on the 
storage medium of the central computer. This pat- 
• ent describes a system for enhancing security of 
the data by changing the encryption key when the 
system is accessed. 

Other well known systems utilize an electronic 
or mechanical key system to gain access to per- 
sonal or one-user systems. However, to protect 
computers from data theft, users must use de- 
tachable units such as diskettes or Bernoulli disks. 



and store the units in a safe place after work hours. 

SUMMARY OF THE INVENTION 

5 The object of the present invention is to pro- 

vide a computer system in which security is not 
dependent solely on access to or the physical 
security of the stored data. Unlike previous sys- 
tems which depend on limiting access to the com- 
10 puter or on encrypting information using codes 
which are also physically available in the computer 
and/or to persons other than the user, the system 
of the present invention protects the data by stor- 
ing the data in encrypted form using an encryption 
IS key which is present only in a removable user 
access unit in the sole possession of the user. 

Thus a numl)er of users can have access to 
the same data files but only the user who actually 
entered the information in the file can read the file, 
so In a preferred optional embodiment of the sys- 

tem the allocation files of the system are also 
encrypted using the card and access to the system 
is thus limited to holders of the user access unit or 
a clone of the user access unit. 
25 The system can t>e used as a stand alone 

protection system or is preferably used in conjunc- 
tion with other available user access 
identification/restriction systems. Thus the user ac- 
cess unit can have additional terminals which sup- 
so ply user identification information which are re- 
quired for access to the system and which may be 
used by users having different user access units. 

There is therefore provided, in a preferred em- 
bodiment of the invention, a nr>ethod for ttie secure 
35 storage and retrieval of data including the steps of, 
placing a removable user access unit into a secu- 
rity access port operatively associated with a com- 
puter, generating a first string of symbols in the 
computer, generating a second string of symbols in 
40 the user access unit based on the first string of 
symbols, encrypting the data based the second 
string of symbols to form an encrypted data block 
and storing the encrypted data block in a non- 
volatile memory. 
45 In a preferred embodiment of the invention the 

first string of symbols is generated in the com- 
puter. In an alternative preferred embodiment of 
the invention the first string of symtx>ls is gen- 
erated in the user access unit. 
50 In a preferred embodiment of the invention the 

method includes the step of storing the first string 
of symbols together with the data block in the non- 
volatile memory. 

Preferably the step of generating the first string 
55 of symbols includes the step of generating a ran- 
dom s-.ring of symbols. In an alternative preferred 
embodiment of the invention the step of generating 
the first string of symbols includes determining the 
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address at which the encrypted data is to be 
stored. Generally, when the first string of symbols 
is based on the address, the first string of symbols 
need not be stored with the data block. 

Preferably the step of generating the second 
siring of symbols from the first string utilizes a one- 
way hashing function. 

In a preferred emtjodiment of the invention the 
method also includes the steps of retrieving the 
stored encrypted data from the non -volatile mem- 
ory, transmitting the first string of symbols to the 
user access unit, regenerating the second string of 
symbols in the user access unit and decrypting the 
encrypted data based on the second string of sym- 
bols to form decrypted data. 

There is further provided, in accordance with a 
preferred embodiment of the invention, apparatus 
for secure storage of data including a terminal, a 
security access port operatively associated with the 
terminal adapted to receive a user access unit, 
seed generating means for generating a first string 
of symbols, control word generating means for 
generating a second string of symbols in the user 
access unit based on the first string of symbols, 
encrypting means for encrypting the data based on 
the second string of symbols to form an encrypted 
data block, a non-volatile memory and storage 
means for storing the encrypted data block in the 
non-volatile memory. 

In a preferred embodiment of the invention, 
scrambling words based on the second string of 
symbols are utilized to form the encrypted data 
block and for decrypting the encrypted data. 

In a preferred embodiment of the invention the 
seed generating means includes means for deriv- 
ing the first string of symbols from the address of 
the encrypted data block in the non-volatile mem- 
ory. In an alternative preferred embodiment the 
seed generating means includes an essentially ran- 
dom symbol generator, wherein the first string of 
symbols is derived from the output of the essen- 
tially random symlxil generator. 

Preferably, the apparatus for secure storage 
includes means for storing the first string of sym- 
bols together with the encrypted data. Generally, 
when the first string of symbols is based on the 
address, the first string of symbols need not be 
stored with the data block. 

In a preferred embodiment of the invention the 
apparatus for secure storage includes retrieving 
means for retrieving the stored encrypted data 
from the non-volatile memory, regenerating means 
for re-generatIng the first string of symbols, means 
for applying the first string of symbols to the word 
generating means and for receiving therefrom a 
regenerated second string of symbols, and decryp- 
ting means for decrypting the encrypted data 
based on the second string of symtx^Is to form 



decrypted data. 

There Is further provided, in accordance with a 
preferred embodiment of the invention a computer 
system including a terminal, a security access port 

5 operatively associated with the terminal adapted to 
receive a user access unit, a non-volatile memory 
containing stored encrypted data, means for re- 
trieving the stored encrypted data from the non- 
volatile memory, seed generating means for gen- 

70 erating a first string of symbols, control word gen- 
erating means for generating a secorKi string of 
symbols in the user access unit based on the first 
string of symbols, decrypting means for decrypting 
the encrypted data based on the second string of 

IS symbols to form decrypted data. 

In one preferred embodiment of the invention 
the allocation table is encrypted by the encryption 
method of the invention, in an alternate preferred 
embodiment of the invention only the data is en- 

20 crypted and the allocation table is not encrypted by 
the system of the invention. In this alternative em- 
tx>diment the system preferably includes conven- 
tional access controls or conventional encryption 
for the allocation table. 

26 In a preferred embodiment of the invention the 

decrypting means includes means for generating 
scrambling words based on the second string of 
symbols and means for decrypting the encrypted 
data with the scrambling words to form the decry p- 

30 ted data. Preferably the means for generating in- 
cludes a pseudo-random binary number generator. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 The invention can be better understood by the 

following, non-limiting, detailed description of the 
preferred eml>odiments of the invention described 
in conjunction with the accompanying drawings in 
which: 

40 Fig. 1 is a block diagram of a computer system 
in accordance with a preferred embodiment of 

the invention; 

Fig. 2 is a block diagram of a preferred embodi- 
ment of the data filter of the apparatus of Fig. 1 ; 

45 Rg. 3 is a block diagram of a preferred embodi- 
ment of the seed generator of the apparatus of 
Fig. 2 using a random seed; 
Fig. 4 is a block diagram of an alternate pre- 
ferred embodiment of the seed generator of the 

50 apparatus of Fig. 2 using the data address as 
the seed; 

Fig. 5 is a block diagram of a preferred embodi- 
ment of the pseudo-random binary number gen- 
erator of tfie apparatus of Fig. 2; 
55 Fig. 6 is a block diagram of a preferred embodi- 
ment of the scrambler/descr ambler module of 
the apparatus of Rg 2; and 
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Rg. 7 is a block diagram of a removable user 
access unit in accordance with a preferred em- 
bodiment of the invention. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Fig. 1 shows a general block diagram of a file- 
secure computer system according to the inven- 
tion. The system contains a data filter 10 which 
receives both data and control signals from a CPU 
12 and from a storage controller 14. Data filter 10 
is operative to pass control signal unchanged and 
to change unencrypted data received from CPU 12 
into encrypted data for transfer to storage controller 
14. Data filter 10 is also operative to change en- 
crypted data received from storage controller 14 
into decrypted data for transfer to CPU 12. 

Storage controller 14 is operative to store the 
encrypted data on non-volatile nDass storage device 
16 which can be a disk drive or any other mass- 
storage device known in the art. 

In a preferred embodiment of the invention 
storage controller 14 and mass storage 16 are part 
of the same computer as CPU 12 and data filter 
10. In an alternative preferred emtxxliment of the 
invention, storage controller 14 and mass storage 
16 are part of a remote central computer and are 
connected to data filter 1 0 by remote transmission 
lines as is welt known in the art. 

A security access port 18 has a removable 
user access unit 20 inserted therein by the user. 
Port 18 receives a seed, whose generation is de- 
scribed below, from data filter 10 and user access 
unit 20 generates a control word, by means vsrhich 
will be described more fully below, which is trans- 
mitted to the data filter for use in the encoding 
process. 

A preferred embodiment of data fitter 10 is 
shown in Fig. 2. In an encryption mode, data and 
control information are received by data filter 10 
from the computer bus, A seed generator 22 gen- 
erates a seed, which Is fed to access port 18 and a 
Pseudo-Random Binary Random Number Gener- 
ator (PRBNG) 24 receives therefrom a control word 
from which PRBNG 24 generates a scrambling 
word. The scrambling word is used by a 
scrambler/descrambler 26 to encrypt the incoming 
data and send it on to storage controller 14 for 
storage In mass storage 16. 

In a decryption mode, encrypted data and con- 
trol information are received from storage controller 
14 for decryption and passage to the computer 
bus. In the decryption mode the seed is not gen- 
erated independently by the seed generator, but is 
based on information received from the storage 
controller. In one emtxxliment of the invention, 
described more fully in conjunction with Fig. 3, the 
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encryption seed is a random number and is stored 
with the data in a seed buffer in the block header. 
When the data is read, the contents of this buffer 
are read and sent directly to the user access unit. 

5 In an alternative preferred embodiment of the in- 
vention, described more fully in conjunction with 
Fig. 4, the seed is the address of the data in mass 
storage. In this emtxxliment address data is sup- 
plied to the user access unit in both encryption and 

10 decryption modes. 

Fig. 3 shows a block diagram of a preferred 
embodiment of seed generator 22. designated by 
reference numeral 22A, utilizing a random number. 
In the encryption (write) mode access port 18 re- 
ts ceives a random number, which acts as the seed, 
from random numt>er generator 28. In order to 
allow for the subsequent decryption of the stored 
data, this number is stored in the seed buffer of the 
block header 29 of the data. The seed is preferably 

20 changed for each block of data. In the decryption 
(read) mode the seed is read from the seed buffer 
in the block header 29. 

Fig. 4 shows an alternate preferred emtxsdi- 
ment of seed generator 22, designated by refer- 

25 ence numeral 22B» in which the seed is directly 
generated from the address of the data. During 
both encryption and decryption, controller 14 
passes this information to shift register 30 which 
generates the seed. 

30 Fig. 5 shows a block diagram of a preferred 

embodiment of Pseudo-Random Binary Number 
Generator 24. PRBNG 24 converts the control word 
received from the access port into a series of 
scrambling words. These scrambling words which 

35 are in binary form are used by 
scrambler/descrambler 26 to scramble or descram- 
bie the data. The PRBNG Is based on a shift 
register 32, some of whose cell entries are 
exclusive-ored with the register's output. This de- 

40 yflce produces an apparent random series of bits, 
with a very long cycle. The cells of the register are 
used as address and data of an array of multiplex- 
ers 34 whose outputs are combined in a scram- 
bling word register 36 to form a scrambling word. 

46 More detailed information on Pseudo-Random Bi- 
nary Number Generators can be found in the arti- 
cle entitled "Pseudorandom Bit Generators In 
Stream-Cipher Cryptography" in IEEE COMPUT- 
ER. February 1991 p. 8 ff., the contents of which 

50 are included herein by reference. In that article the 
functioning of the PRBNG is described as "A feed- 
back shift register consists of n flip-flops, and a 
feedback function that expresses each new ele- 
ment a(t), when t>n. of the sequence in terms of 

55 the previously generated elements a(t-n). a(t-n-«'1). 
a(t-1).'* The design using a shift register and 
only XOR gates is one of many possible designs. 
The period of the sequence produced by the 
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PRBNG can be as large as 2". 

Referring now to Fig. 6 the scrambling word is 
exclusive-ored with the encrypted/unencrypted 
data, in scrambler/descrambler 26. by exclusive-or 
gates 38 to form decry pled/encrypted data as the 
case nnay be. 

It is thus seen that, so long as the algorithm 
used by user access unit 20 to generate the control 
word is not known, the encrypted data is safe from 
reading or deliberate modification. While the data 
can be tampered with, any such tampering will be 
dostructivG, since the charges will not be encryp- 
ted according to the samo scrambling word as the 
rest of the data. In order to avoid any such destruc- 
tion of data, suitable access controls as are known 
in the art are preferably used as an adjunct to the 
system of the present invention. Alternatively or 
additionally, the allocation table can be encrypted 
using the same system as the data. In such a 
system access to the disk as a whole will be 
denied to any user who does not have the user 
access unit. 

Figure 7 shows a block diagram of a preferred 
embodiment of user access unit 20. The unit com- 
prises a shift register 40 which receives the seed 
and passes it on to hashing function operator 42. 
which subjects the seed to a one-way hashing 
function whose parameters are set by the user and 
burled in the hashing function operator in such a 
way that it is not possible to read them back. The 
resulting hashed seed is passed to a shift register 
44 for transfer to the filter. 

Also included in user access unit 20, but not 
shown in Fig. 7 are a one time initializing mecha- 
nism for entering user parameters and a protection 
mechanism, which prevents the reading or modi- 
fication of the parameters. The hashing function 
operator may use progrannmable logic device tech- 
nology or any other suitable technology. 

In an aKernative preferred embodiment of the 
invention either or both of random noise generator 
28 and PRBNG 24 are included as part of user 
access unit 20 rather than as part of the computer. 

No one except the user knows the parameters 
of the hashing function. Nor does the user have to 
rememt>er the parameters, since they are con-, 
tained in the user access unit. An unauthorized 
user of the system will not have physical access to 
the user access unit and therefore cannot generate 
the proper control words required to read the en- 
crypted files. 

Unlike existing systems in which the algorithm 
used by the user for encoding is contained in the 
central computer, the present system has all the 
user specific information in removable user access 
unit 20. Thus even if the data itself is compromised 
by a physical or electronic break-in of the com- 
puter, the encrypted data will be safe from reading 



or modification. 

The present invention is not limited by the 
particular embodiments disclosed but includes var- 
ious changes and modifications which may be 
5 made without departing from the spirit and scope 
of the invention as defined in the following claims: 

Claims 

10 .1. A method for the secure storage and retrieval 
of data including the steps of: 

placing a removable user access unit into 
a security access port operalively associated 
with the computer: 
15 generating a first string of symbols: 

generating a second string of symbols in 
the user access unit based on the first string of 
symbols; 

encrypting the data based on the second 
20 string of symbols to form an encrypted data 

block; and 

storing the encrypted data block in a non- 
volatile mennory. 

25 2. A method according to claim 1 wherein the 
first string of symbols is generated in the com- 
puter and transmitted to the user access unit. 

3. A method according to claim 1 wherein the 
30 first string of symtx)ls is generated in the user 

access unit. 

4. A method according to any of the preceding 
claims and including the step of storing the 

36 first string of symbols together with the data 

block in the non-volatile memory. 

5. A method according to any of the preceding 
claims wherein the step of generating the first 

40 string of symbols includes the step of generat- 

ing a random string of symbols. 

6- A method according to claim 1 wherein the 
step of generating the first string of symbols 
46 includes determining the address at which the 

encrypted data is stored. 

7. A method according to any of the preceding 
claims wherein the step of generating the see- 
so end string of symbols from the first string 

includes utilizing a one-way hashing function. 

8. A method according to any of the preceding 
claims wherein the step of encrypting the data 

55 includes the step of generating a string of 

words from the second string of symtxsls and 
encrypting the data with the second string of 
words. 
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9. A method according to any of the preceding 
claims and Including the steps of: 

retrieving the stored encrypted data from 
the non-volatile memory; 

regenerating the first string of symbols; 

regenerating the second string of symbols 
in the user access unit; and 

decrypting the encrypted data based the 
second string of symbols to form decrypted 
data. 

10. A method for the retrieval of stored encrypted 
data including the steps of: 

retrieving stored encrypted data from a 
non-volatile memory; 

generating a first string of symbols; 

generating a second string of symbols in 
user access unit based on the first string of 
symbols; and 

decrypting the encrypted data utilizing the 
second string of symbols to form decrypted 
data. 

11. A method according to claim 9 or claim 10 
wherein the step of decrypting includes the 
step of generating a string of words from the 
second string of symbols and decrypting the 
encrypted data with the string of words. 

12. Apparatus for secure storage of data compris- 
ing: 

a terminal; 

a security access port operatively asso- 
ciated with the terminal adapted to receive a 
user access unit; 

seed generating means for generating a 
first string of symbols; 

word generating means for generating a 
second string of symbols In the user access 
unit based on the first string of symbols; 

encrypting means for encrypting the data 
based on the second string of symt)Ols to form 
an encrypted data block; 

a non-volatile memory; and 

storage means for storing the encrypted 
data block in the non-volatile memory. 

13. Apparatus according to claim 12 wherein the 
seed generating means Includes means for 
deriving the first string of symbols from the 
address of the encrypted data block in the 
non-volatile memory. 

14. Apparatus according to claim 12 wherein the 
seed generating means Includes an essentially 
random symbol generator, wherein the first 
string of symbols is derived from the output of 
the essentially random symbol generator. 



15. Apparatus according to any of claims 12-14 
and including means for storing the first string 
of symbols together with the encrypted data. 

5 16. Apparatus according to any of claims 12-15 
wherein the encrypting means includes means 
for generating a string of words from the sec- 
ond string of symbols and for encrypting the 
data with the string of words. 

10 

17. Apparatus according to claim 16 wherein the 
means for generating includes a pseudo- ran- 
dom binary number generator. 

IS 18. Apparatus according to any of claims 12-17 
and IrK^luding: 

retrieving means for retrieving tfie stored 
encrypted data from the non-volatile memory; 
regenerating means for re-generatIng the 
20 first string of symbols; 

means for applying the first string of sym- 
bols to the word generating means and for 
receiving therefrom a regenerated second 
string of symtx)ls; and 
25 decrypting means for decrypting the en- 

crypted data based on the second string of 
symbols to form decrypted data. 

19l A computer system comprising: 
30 a terminal; 

a security access port operatively asso- 
ciated with the terminal adapted to receive a 
user access unit; 

a non-voiatlle memory containing stored 
35 encrypted data; 

means for retrieving the stored encrypted 
data from the non-volatile memory; 

seed generating means for generating a 
first string of symbols; 
40 word generating means for generating a 

second string of symtwls in the user access 
unit based on the first string of symbols; and 

means for decrypting the encrypted data 
based on the second string of symbols to form 
45 decrypted data. 

20. Apparatus according to claim 19 wherein the 
means for decrypting includes means for gen- 
erating a string of words from the second 

50 string of symk>ols and for decrypting the en- 

crypted data with the string of words. 

21. Apparatus according to claim 20 wherein the 
means for generating Includes a pseudo-ran- 

55 dom binary number generator. 
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